CV, Jul 12, 2022

Certified Adversarial Robustness via Anisotropic Randomized Smoothing

arXiv:2207.05327v2, 7 citations, h-index: 7
AI Analysis

This work addresses a limitation of existing randomized smoothing methods, which cannot provide optimal protection for every input, and offers a domain-specific improvement for adversarial robustness in machine learning.

The paper tackles certified adversarial robustness by proposing anisotropic randomized smoothing, which uses pixel-wise noise distributions instead of a fixed i.i.d. noise distribution, and shows in experiments that it significantly outperforms state-of-the-art methods.

Randomized smoothing has achieved great success for certified robustness against adversarial perturbations. Given any arbitrary classifier, randomized smoothing can guarantee the classifier's prediction over the perturbed input with a provable robustness bound by injecting noise into the classifier. However, all of the existing methods rely on a fixed i.i.d. probability distribution to generate noise for all dimensions of the data (e.g., all the pixels in an image), which ignores the heterogeneity of inputs and data dimensions. Thus, existing randomized smoothing methods cannot provide optimal protection for all the inputs. To address this limitation, we propose a novel anisotropic randomized smoothing method which ensures a provable robustness guarantee based on pixel-wise noise distributions. Also, we design a novel CNN-based noise generator to efficiently fine-tune the pixel-wise noise distributions for all the pixels in each input. Experimental results demonstrate that our method significantly outperforms the state-of-the-art randomized smoothing methods.
